Vite security vulnerability

[manojsridharsrinivasan]

Command

other

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

There is a reported security vulnerability in Vite 7.3.1 (GHSA-p9ff-h696-f583). The latest @angular/build version 21.2.6 still depends on Vite 7.3.1, which introduces a transitive dependency vulnerability in Angular CLI projects.

Related issue - GHSA-v2wj-q39q-566r

Minimal Reproduction

N/A

Exception or Error

vite@7.3.1 – Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket (high severity)

Your Environment

21.2.5

Anything else relevant?

No response

[alan-agius4]

Closed via #32953

[rgbweb]

Hi @alan-agius4, thanks for the quick fix. If I see it correctly, the fix has only been implemented for the latest Angular 21 branch. Unfortunately, the latest Angular 20 version is also affected. It references Vite 7.1.11. Is a fix planned for this as well?

[alan-agius4]

There are already PRs in flight for this: #32956 and #32955